Systems and methods for embodiments of a graph-based artificial intelligence system for identity management are disclosed. Embodiments of the identity management systems disclosed herein may utilize a network graph approach to analyzing identities or entitlements of a distributed networked enterprise computing environment. Specifically, in certain embodiments, an artificial intelligence based identity management system may utilize the peer grouping of an identity graph (or peer grouping of portions or subgraphs thereof) to identify roles from peer groups or the like.
Legal claims defining the scope of protection, as filed with the USPTO.
1. An identity management system, comprising: a graph data store; a processor; a non-transitory, computer-readable storage medium, including computer instructions for: obtaining identity management data from one or more identity management systems in a distributed enterprise computing environment, the identity management data comprising data on a set of identities and a set of entitlements associated with the set of identities utilized in identity management in the distributed enterprise computing environment; evaluating the identity management data to determine the set of identities and a set of entitlements associated with the set of identities; generating a first identity graph from the identity management data by: creating a node of the first identity graph for each of the determined set of identities and each of the determined set of entitlements, for each first identity and second identity that share at least one entitlement of the set of entitlements, creating a first edge of the first identity graph between a first node representing the first identity and a second node of the identity graph representing the second identity; generating a first similarity weight for each first edge of the first identity graph between each first node and second node based on a number of the set of entitlements shared between the first identity represented by the first node and the second identity represented by the second node; for each first entitlement and second entitlement that share at least one identity of the set of identities, creating a second edge of the first identity graph between a first node representing the first entitlement and a second node of the identity graph representing the second entitlement; generating a second similarity weight for each second edge of the first identity graph between each first node and second node based on a number of the set of identities shared between the first entitlement represented by the first node and the second entitlement represented by the second node; storing the first identity graph in the graph data store; pruning the set of first edges or the set of second edges of the first identity graph to generate a second identity graph based on the similarity weight associated with each of the first edges or second edges of the first identity graph and a pruning threshold; storing the second identity graph in the graph data store; clustering the set of identities represented by the nodes of the second identity graph into a set of identity peer groups or the set of entitlements represented by the nodes of the second identity graph into a set of entitlement peer groups, wherein the clustering is based on the second identity graph, including the nodes of the second identity graph representing the set of identities or set of entitlements, the first edges of the second identity graph or the second edges of the second identity graph, and the similarity weights of each of the first edges or the second edges of the second identity graph; receiving a role mining request; determining a role from an identity peer group of the set of identity peer groups or an entitlement peer group of the set of entitlement peer groups, where the role comprises a set of entitlements determined from the identity peer group or the entitlement peer group; and returning the role to a user through an interface.
2. The system of claim 1, wherein the role mining request includes a scoping attribute and the instructions are further for determining a subgraph of the second identity graph based on the scoping attribute, wherein the identity peer group or the entitlement peer group is associated with the determined subgraph.
3. The system of claim 2, wherein determining the subgraph comprises searching the second identity graph to determine identity nodes of the second identity graph associated with the scoping attribute, the subgraph including the determined identity nodes.
4. The system of claim 1, wherein the first identity graph and the second identity graph are not generated until the role mining request is received.
5. The system of claim 4, wherein the role mining request includes a scoping attribute, and evaluating the identity management data to determine the set of identities and the set of entitlements associated with the set of identities comprises searching the identity management data based on the scoping attribute to determine the set of identities associated with the scoping attribute and the set of entitlements associated with the set of identities.
6. The system of claim 4, wherein determining a role from the identity peer group comprises extracting the set of entitlements of the role from entitlements associated with the identities of the identity peer group.
7. The system of claim 6, wherein extracting the set of entitlements comprises determining that each of the set of entitlements associated with the identities of the identity peer group exceeds an extraction threshold, and for a particular entitlement of the set of entitlements the determination of whether the particular entitlement exceeds the extraction threshold is based on a number of identities of the identity peer group that share that entitlement.
8. A method, comprising: obtaining identity management data from one or more identity management systems in a distributed enterprise computing environment, the identity management data comprising data on a set of identities and a set of entitlements associated with the set of identities utilized in identity management in the distributed enterprise computing environment; evaluating the identity management data to determine the set of identities and a set of entitlements associated with the set of identities; generating a first identity graph from the identity management data by: creating a node of the first identity graph for each of the determined set of identities and each of the determined set of entitlements, for each first identity and second identity that share at least one entitlement of the set of entitlements, creating a first edge of the first identity graph between a first node representing the first identity and a second node of the identity graph representing the second identity; generating a first similarity weight for each first edge of the first identity graph between each first node and second node based on a number of the set of entitlements shared between the first identity represented by the first node and the second identity represented by the second node; for each first entitlement and second entitlement that share at least one identity of the set of identities, creating a second edge of the first identity graph between a first node representing the first entitlement and a second node of the identity graph representing the second entitlement; generating a second similarity weight for each second edge of the first identity graph between each first node and second node based on a number of the set of identities shared between the first entitlement represented by the first node and the second entitlement represented by the second node; storing the first identity graph in a graph data store; pruning the set of first edges or the set of second edges of the first identity graph to generate a second identity graph based on the similarity weight associated with each of the first edges or second edges of the first identity graph and a pruning threshold; storing the second identity graph in the graph data store; clustering the set of identities represented by the nodes of the second identity graph into a set of identity peer groups or the set of entitlements represented by the nodes of the second identity graph into a set of entitlement peer groups, wherein the clustering is based on the second identity graph, including the nodes of the second identity graph representing the set of identities or set of entitlements, the first edges of the second identity graph or the second edges of the second identity graph, and the similarity weights of each of the first edges or the second edges of the second identity graph; receiving a role mining request; determining a role from an identity peer group of the set of identity peer groups or an entitlement peer group of the set of entitlement peer groups, where the role comprises a set of entitlements determined from the identity peer group or the entitlement peer group; and returning the role to a user through an interface.
9. The method of claim 8, wherein the role mining request includes a scoping attribute and the method further comprises determining a subgraph of the second identity graph based on the scoping attribute, wherein the identity peer group or the entitlement peer group is associated with the determined subgraph.
10. The method of claim 9, wherein determining the subgraph comprises searching the second identity graph to determine identity nodes of the second identity graph associated with the scoping attribute, the subgraph including the determined identity nodes.
11. The method of claim 8, wherein the first identity graph and the second identity graph are not generated until the role mining request is received.
12. The method of claim 11, wherein the role mining request includes a scoping attribute, and evaluating the identity management data to determine the set of identities and the set of entitlements associated with the set of identities comprises searching the identity management data based on the scoping attribute to determine the set of identities associated with the scoping attribute and the set of entitlements associated with the set of identities.
13. The method of claim 11, wherein determining a role from the identity peer group comprises extracting the set of entitlements of the role from entitlements associated with the identities of the identity peer group.
14. The method of claim 13, wherein extracting the set of entitlements comprises determining that each of the set of entitlements associated with the identities of the identity peer group exceeds an extraction threshold, and for a particular entitlement of the set of entitlements the determination of whether the particular entitlement exceeds the extraction threshold is based on a number of identities of the identity peer group that share that entitlement.
15. A non-transitory computer readable medium, comprising instructions for: obtaining identity management data from one or more identity management systems in a distributed enterprise computing environment, the identity management data comprising data on a set of identities and a set of entitlements associated with the set of identities utilized in identity management in the distributed enterprise computing environment; evaluating the identity management data to determine the set of identities and a set of entitlements associated with the set of identities; generating a first identity graph from the identity management data by: creating a node of the first identity graph for each of the determined set of identities and each of the determined set of entitlements, for each first identity and second identity that share at least one entitlement of the set of entitlements, creating a first edge of the first identity graph between a first node representing the first identity and a second node of the identity graph representing the second identity; generating a first similarity weight for each first edge of the first identity graph between each first node and second node based on a number of the set of entitlements shared between the first identity represented by the first node and the second identity represented by the second node; for each first entitlement and second entitlement that share at least one identity of the set of identities, creating a second edge of the first identity graph between a first node representing the first entitlement and a second node of the identity graph representing the second entitlement; generating a second similarity weight for each second edge of the first identity graph between each first node and second node based on a number of the set of identities shared between the first entitlement represented by the first node and the second entitlement represented by the second node; storing the first identity graph in a graph data store; pruning the set of first edges or the set of second edges of the first identity graph to generate a second identity graph based on the similarity weight associated with each of the first edges or second edges of the first identity graph and a pruning threshold; storing the second identity graph in the graph data store; clustering the set of identities represented by the nodes of the second identity graph into a set of identity peer groups or the set of entitlements represented by the nodes of the second identity graph into a set of entitlement peer groups, wherein the clustering is based on the second identity graph, including the nodes of the second identity graph representing the set of identities or set of entitlements, the first edges of the second identity graph or the second edges of the second identity graph, and the similarity weights of each of the first edges or the second edges of the second identity graph; receiving a role mining request; determining a role from an identity peer group of the set of identity peer groups or an entitlement peer group of the set of entitlement peer groups, where the role comprises a set of entitlements determined from the identity peer group or the entitlement peer group; and returning the role to a user through an interface.
16. The non-transitory computer readable medium of claim 15, wherein the role mining request includes a scoping attribute and the instructions are further for determining a subgraph of the second identity graph based on the scoping attribute, wherein the identity peer group or the entitlement peer group is associated with the determined subgraph.
17. The non-transitory computer readable medium of claim 16, wherein determining the subgraph comprises searching the second identity graph to determine identity nodes of the second identity graph associated with the scoping attribute, the subgraph including the determined identity nodes.
18. The non-transitory computer readable medium of claim 15, wherein the first identity graph and the second identity graph are not generated until the role mining request is received.
19. The non-transitory computer readable medium of claim 18, wherein the role mining request includes a scoping attribute, and evaluating the identity management data to determine the set of identities and the set of entitlements associated with the set of identities comprises searching the identity management data based on the scoping attribute to determine the set of identities associated with the scoping attribute and the set of entitlements associated with the set of identities.
20. The non-transitory computer readable medium of claim 18, wherein determining a role from the identity peer group comprises extracting the set of entitlements of the role from entitlements associated with the identities of the identity peer group.
21. The non-transitory computer readable medium of claim 20, wherein extracting the set of entitlements comprises determining that each of the set of entitlements associated with the identities of the identity peer group exceeds an extraction threshold, and for a particular entitlement of the set of entitlements the determination of whether the particular entitlement exceeds the extraction threshold is based on a number of identities of the identity peer group that share that entitlement.
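The three claim families above (claims 1 to 7, 8 to 14 and 15 to 21) describe the same pipeline: build an identity graph with identity-to-identity edges weighted by shared entitlements and entitlement-to-entitlement edges weighted by shared identities, prune edges below a pruning threshold, cluster the pruned graph into peer groups, optionally restrict to a subgraph selected by a scoping attribute, and extract a role from a peer group as the entitlements held by more than an extraction threshold of its members. The following is an added worked example of that pipeline and is not the patent holder's code or any vendor's implementation. Everything the claims leave open is an assumption here: the similarity weight is the raw count of shared neighbours, "clustering" is taken as connected components of the pruned graph, and the identity data is constructed for the example. It also goes slightly beyond the claims by reporting the entitlements that fall below the extraction threshold as outliers, since a practitioner reviewing a mined role wants to see the privileged one-off entitlement (erp.admin, prod.ssh) that was kept out of it rather than have it silently folded in.

```python
"""Graph-based role mining in the manner the claims above describe.

Added illustrative example, not the patent holder's or any vendor's code.
Assumptions not fixed by the claims: similarity weight is the raw count of
shared neighbours, "clustering" is connected components of the pruned
graph, and the identity data below is constructed for the example.
"""
from collections import defaultdict
from itertools import combinations

# Constructed identity-management data: identity -> attributes and entitlements.
IDENTITIES = {
    "alice": {"dept": "finance", "ents": {"erp.read", "erp.post", "vpn"}},
    "bob":   {"dept": "finance", "ents": {"erp.read", "erp.post", "vpn"}},
    "carol": {"dept": "finance", "ents": {"erp.read", "erp.post", "vpn", "erp.admin"}},
    "dave":  {"dept": "eng",     "ents": {"git.write", "ci.run", "vpn"}},
    "erin":  {"dept": "eng",     "ents": {"git.write", "ci.run", "vpn"}},
    "frank": {"dept": "eng",     "ents": {"git.write", "ci.run", "prod.ssh"}},
    "grace": {"dept": "hr",      "ents": {"hris.read"}},
}


def build_identity_graph(identities):
    """First identity graph: one node per identity and per entitlement,
    identity-identity edges weighted by shared entitlements ("first edges")
    and entitlement-entitlement edges weighted by shared identities ("second edges")."""
    ent_to_ids = defaultdict(set)
    for ident, rec in identities.items():
        for ent in rec["ents"]:
            ent_to_ids[ent].add(ident)
    first_edges = {}
    for a, b in combinations(sorted(identities), 2):
        shared = identities[a]["ents"] & identities[b]["ents"]
        if shared:
            first_edges[(a, b)] = len(shared)
    second_edges = {}
    for a, b in combinations(sorted(ent_to_ids), 2):
        shared = ent_to_ids[a] & ent_to_ids[b]
        if shared:
            second_edges[(a, b)] = len(shared)
    return first_edges, second_edges, set(ent_to_ids)


def prune(edges, pruning_threshold):
    """Second identity graph: keep only edges whose similarity weight meets the threshold."""
    return {pair: w for pair, w in edges.items() if w >= pruning_threshold}


def peer_groups(nodes, edges):
    """Cluster nodes into peer groups. Here a connected component of the pruned graph
    is a peer group (an assumed stand-in for whatever clustering a real system uses)."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    seen, groups = set(), []
    for start in sorted(nodes):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node not in comp:
                comp.add(node)
                stack.extend(adj[node] - comp)
        seen |= comp
        groups.append(frozenset(comp))
    return groups


def mine_roles(identities, scope=None, pruning_threshold=2, extraction_threshold=0.5):
    """Answer a role-mining request. An optional scoping attribute (key, value) selects
    the subgraph; each identity peer group then yields a role made of the entitlements
    held by more than extraction_threshold of its members. Entitlements below the
    threshold are returned as outliers so a reviewer can see what was excluded."""
    if scope is not None:
        key, value = scope
        identities = {i: r for i, r in identities.items() if r.get(key) == value}
    first_edges, _, _ = build_identity_graph(identities)
    roles = []
    for group in peer_groups(identities, prune(first_edges, pruning_threshold)):
        if len(group) < 2:
            continue  # a singleton has no peers; nothing to generalise into a role
        counts = defaultdict(int)
        for ident in group:
            for ent in identities[ident]["ents"]:
                counts[ent] += 1
        role = frozenset(e for e, c in counts.items() if c / len(group) > extraction_threshold)
        roles.append({"members": group, "entitlements": role,
                      "outliers": frozenset(counts) - role})
    return roles


def entitlement_peer_groups(identities, pruning_threshold):
    """Entitlement peer groups from the second edges. The pruning threshold decides
    whether a widely held entitlement (vpn here) bridges otherwise separate groups."""
    _, second_edges, ent_nodes = build_identity_graph(identities)
    return peer_groups(ent_nodes, prune(second_edges, pruning_threshold))


if __name__ == "__main__":
    for role in mine_roles(IDENTITIES):
        print(sorted(role["members"]), sorted(role["entitlements"]),
              "outliers:", sorted(role["outliers"]))
    for threshold in (2, 3):
        print("entitlement groups at threshold", threshold,
              [sorted(g) for g in entitlement_peer_groups(IDENTITIES, threshold)])
```

Two things worth noticing when running it. First, the extraction threshold is what keeps carol's erp.admin and frank's prod.ssh out of the mined roles; with a threshold that is too low those privileged one-offs would be granted to every member of the role, which is the opposite of least privilege. Second, on the entitlement side the pruning threshold matters as much as the clustering: at a threshold of 2 the shared vpn entitlement bridges the finance and engineering entitlements into a single peer group, while at 3 they separate. Hub entitlements held by most of the organisation should be expected to produce that effect and handled by thresholding or by excluding them from the graph before clustering.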
February 28, 2019
February 4, 2020